Passkey/FIDO2 API Error Reference
This document lists common error codes, descriptions, and recommended resolutions for Passkey/FIDO2 registration and authentication flows using IDaaS.
IDaaS API Error Codes
| Error Code | Description | Resolution | HTTP Status |
|---|---|---|---|
max_fido_tokens | Maximum FIDO tokens reached | Check the number of passkeys for the user | 400 |
fido_register_no_challenge | No challenge found on server for registration | Retry registration process | 400 |
fido_token_invalid_name | Invalid passkey token name | Ensure passkey name is in correct format and within length limits | 400 |
fido_token_invalid_name_html | Invalid passkey token name (contains HTML) | Remove HTML content from passkey name | 400 |
fido_token_duplicate_name | Duplicate passkey name | Provide a unique passkey name | 400 |
fido_no_origin | No origin found in the registration request's clientDataJSON | Ensure the clientDataJSON contains a valid origin field | 400 |
fido_rpid_not_allowed | RPID in the request is not allowed | RPID should match the one the passkey is associated with | 401 |
fido_android_origin_not_allowed | Android origin is not allowed for the requested RPID | Ensure the Android app's SHA-256 certificate fingerprint is configured in the RPID allowlist for the matching relying party ID | 400 |
fido_multiple_rpid_match | Android origin matches multiple RPIDs in the allowlist | Include the rpId request parameter to explicitly specify the intended relying party ID | 400 |
fido_invalid_registration_response | Invalid registration data | Verify the registration input data | 400 |
fido_backup_eligible_not_allowed | Backup Eligible Check is not enabled in Passkey/FIDO2 policy settings | Enable the Backup Eligible Check in settings | 401 |
fido_multiple_metadata_statements | Multiple FIDO MDS metadata statements found for the same AAGUID | Contact support — the FIDO Metadata Service (MDS) contains duplicate entries for this authenticator's AAGUID | 400 |
fido_none_active | No passkey token registered/active | User must have an active passkey before initiating authentication | 403 |
fido_no_challenge | No challenge found for passkey authentication | Initiate authentication with challenge first | 400 |
fido_invalid_authentication_response | No fidoResponse parameter found in the request | Ensure fidoResponse parameter is not null | 400 |
fido_invalid_origin_param | Request parameter 'origin' is invalid | origin parameter should be in valid format. e.g. https://example.com | 400 |
fido_different_origin_rpid_request_param_not_allowed | Request parameters 'origin' and 'rpId' both can not be different | Check Request parameters are same in Authenticate Challenge API request | 400 |